Remove lstrip & os.sep on targetpath & pathpattern

For targetpath: we don't want to support corner cases such as file paths starting with separator. Why this case should be threated specially than any other case where you have multiple "/" for example "foo//bar/tar.gz"? For pathpattern: it's recommended that the separator in the pathpattern should be "/": see https://theupdateframework.github.io/specification/latest/#targetpath I believe it could lead to issues for a client implementation if it supports arbitrary separators - every implementation needs to choose one and stick with it. Then, if we decide that "/" is our separator using lstrip on "os.sep" is wrong, because the os separator from the server could be different that the one used in the client. Because of the above arguments, it makes sense to just remove lstrip on os separators. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
theupdateframework · Aug 25, 2021 · 16ca84d · 16ca84d
1 parent 122c8af
commit 16ca84d
Showing 1 changed file with 1 addition and 5 deletions.
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -19,7 +19,6 @@
 import fnmatch
 import io
 import logging
-import os
 import tempfile
 from collections import OrderedDict
 from datetime import datetime, timedelta
@@ -1098,10 +1097,7 @@ def is_delegated_path(self, target_filepath: str) -> bool:
                 # are also considered matches. Make sure to strip any leading
                 # path separators so that a match is made.
                 # Example: "foo.tgz" should match with "/*.tgz".
-                if _is_target_in_pathpattern(
-                    target_filepath.lstrip(os.sep),
-                    pathpattern.lstrip(os.sep),
-                ):
+                if _is_target_in_pathpattern(target_filepath, pathpattern):
                     return True
 
         return False